diff --git a/rules/linux/lnx_base64_decode.yml b/rules/linux/lnx_base64_decode.yml index b9ae9bc78..62620cf4b 100644 --- a/rules/linux/lnx_base64_decode.yml +++ b/rules/linux/lnx_base64_decode.yml @@ -11,7 +11,7 @@ logsource: product: linux detection: base64_execution: - ProcessName|endswith: '/base64' + Image|endswith: '/base64' CommandLine|contains: '-d' condition: base64_execution falsepositives: diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml index e6c71f424..11e904054 100644 --- a/rules/linux/lnx_clear_logs.yml +++ b/rules/linux/lnx_clear_logs.yml @@ -11,7 +11,7 @@ logsource: category: process_creation detection: selection: - ProcessName|endswith: + Image|endswith: - '/rm' # covers /rmdir as well - '/shred' CommandLine|contains: diff --git a/rules/linux/lnx_file_and_directory_discovery.yml b/rules/linux/lnx_file_and_directory_discovery.yml index 9b1a70130..61d35d415 100644 --- a/rules/linux/lnx_file_and_directory_discovery.yml +++ b/rules/linux/lnx_file_and_directory_discovery.yml @@ -11,15 +11,15 @@ logsource: product: linux detection: file_with_asterisk: - ProcessName|endswith: '/file' + Image|endswith: '/file' CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline recursive_ls: - ProcessName|endswith: '/ls' + Image|endswith: '/ls' CommandLine|contains: '-R' find_execution: - ProcessName|endswith: '/find' + Image|endswith: '/find' tree_execution: - ProcessName|endswith: '/tree' + Image|endswith: '/tree' condition: 1 of them falsepositives: - Legitimate activities diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml index bc4c2ad39..b909a853c 100644 --- a/rules/linux/lnx_file_deletion.yml +++ b/rules/linux/lnx_file_deletion.yml @@ -11,7 +11,7 @@ logsource: category: process_creation detection: selection: - ProcessName|endswith: + Image|endswith: - '/rm' # covers /rmdir as well - '/shred' condition: selection 
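Review bot: In the lnx_clear_logs.yml hunk the comment `# covers /rmdir as well` on the `'/rm'` entry is wrong for the `|endswith` modifier the renamed field keeps: `Image|endswith: '/rm'` matches only a path that ends in `/rm`, and `/rmdir` does not, so rmdir is not detected. Either add `- '/rmdir'` as its own list entry or drop the comment. The same comment and the same gap appear in the lnx_file_deletion.yml hunk. The `CommandLine|contains:` values and the `condition` of lnx_clear_logs lie outside the hunk.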
diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml index 3595fb437..b1a9f61ee 100644 --- a/rules/linux/lnx_install_root_certificate.yml +++ b/rules/linux/lnx_install_root_certificate.yml @@ -14,7 +14,7 @@ logsource: category: process_creation detection: selection: - ProcessName|endswith: + Image|endswith: - '/update-ca-certificates' - '/update-ca-trust' condition: selection diff --git a/rules/linux/lnx_local_account.yml b/rules/linux/lnx_local_account.yml index c470ca6cb..2e31f466d 100644 --- a/rules/linux/lnx_local_account.yml +++ b/rules/linux/lnx_local_account.yml @@ -11,22 +11,22 @@ logsource: product: linux detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/lastlog' selection_2: CommandLine|contains: - "'x:0:'" selection_3: - ProcessName|endswith: + Image|endswith: - '/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_4: - ProcessName|endswith: + Image|endswith: - '/id' selection_5: - ProcessName|endswith: + Image|endswith: - '/lsof' CommandLine|contains: - '-u' diff --git a/rules/linux/lnx_local_groups.yml b/rules/linux/lnx_local_groups.yml index 3ca19f538..8df8a8157 100644 --- a/rules/linux/lnx_local_groups.yml +++ b/rules/linux/lnx_local_groups.yml @@ -11,10 +11,10 @@ logsource: product: linux detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/groups' selection_2: - ProcessName|endswith: + Image|endswith: - '/cat' CommandLine|contains: - '/etc/group' diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml index 40ad7cd2a..831c1dac9 100644 --- a/rules/linux/lnx_network_service_scanning.yml +++ b/rules/linux/lnx_network_service_scanning.yml 
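Review bot: In the lnx_local_account.yml hunk, `selection_2` matches on `"'x:0:'"`, which includes the single quotes in the matched string, so it only fires when the command line was typed with exactly that shell quoting and misses `"x:0:"` or an unquoted `x:0:`. Presumably the intent is to catch a search for the UID-0 entry; if so, the bare token `- 'x:0:'` covers all three forms and should be used while the field names are being normalised. The second hunk of macos_local_account.yml carries the same quoted value. The `condition` for these selections is outside the hunk.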
@@ -20,11 +20,11 @@ logsource: definition: 'Detect netcat and filter our listening mode' detection: netcat: - ProcessName|endswith: + Image|endswith: - '/nc' - '/netcat' network_scanning_tools: - ProcessName|endswith: + Image|endswith: - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning - '/nmap' netcat_listen_flag: diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml index 863879928..bee127ac9 100644 --- a/rules/linux/lnx_process_discovery.yml +++ b/rules/linux/lnx_process_discovery.yml @@ -11,7 +11,7 @@ logsource: category: process_creation detection: selection: - - ProcessName|endswith: + - Image|endswith: - '/ps' - '/top' condition: selection diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml index b48af1122..218053e15 100644 --- a/rules/linux/lnx_remote_system_discovery.yml +++ b/rules/linux/lnx_remote_system_discovery.yml @@ -11,10 +11,10 @@ logsource: product: linux detection: selection_1: - ProcessName|endswith: '/arp' + Image|endswith: '/arp' CommandLine|contains: '-a' selection_2: - ProcessName|endswith: '/ping' + Image|endswith: '/ping' CommandLine|contains: - ' 10.' #10.0.0.0/8 - ' 192.168.' #192.168.0.0/16 diff --git a/rules/linux/lnx_schedule_task_job_cron.yml b/rules/linux/lnx_schedule_task_job_cron.yml index dc37f2270..cd2540f96 100644 --- a/rules/linux/lnx_schedule_task_job_cron.yml +++ b/rules/linux/lnx_schedule_task_job_cron.yml @@ -11,7 +11,7 @@ logsource: product: linux detection: selection: - ProcessName|endswith: + Image|endswith: - 'crontab' CommandLine|contains: - '/tmp/' diff --git a/rules/linux/lnx_security_software_discovery.yml b/rules/linux/lnx_security_software_discovery.yml index 5a94b29c0..37a7f7871 100644 --- a/rules/linux/lnx_security_software_discovery.yml +++ b/rules/linux/lnx_security_software_discovery.yml 
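Review bot: The `definition` context line in the lnx_network_service_scanning.yml hunk reads `'Detect netcat and filter our listening mode'`; `our` looks like a typo for `out`, which is presumably what the `netcat_listen_flag` selection is used for. Suggest `definition: 'Detect netcat and filter out listening mode'` while the file is being touched. The `netcat_listen_flag` selection and the condition continue past the end of the hunk.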
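Review bot: `selection:` in the lnx_process_discovery.yml hunk is written as a one-element list holding the map (`- Image|endswith:`), while every other selection in this commit is a plain map; the list form is valid but reads as an OR over a single item and, in a diff, is easy to misread as a removed line. Suggest `selection:` / `Image|endswith:` / `- '/ps'` with no leading dash on the field line. The `selection1:` block in the macos_clear_system_logs.yml hunk (`- Image|endswith: '/rm'`) has the same shape.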
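Review bot: In the lnx_schedule_task_job_cron.yml hunk the entry `- 'crontab'` under `Image|endswith:` has no leading slash, unlike every other entry in this commit (the macOS counterpart uses `'/crontab'`), so it also matches any binary whose name merely ends in `crontab`. Suggest `- '/crontab'` so the match is anchored at a path separator. The `CommandLine|contains:` values and the condition continue outside the hunk.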
@@ -11,7 +11,7 @@ logsource: product: linux detection: grep_execution: - ProcessName|endswith: '/grep' + Image|endswith: '/grep' security_services_and_processes: CommandLine|contains: - 'nessusd' # nessus vulnerability scanner diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml index 8f812b387..8d1f16177 100644 --- a/rules/linux/lnx_security_tools_disabling.yml +++ b/rules/linux/lnx_security_tools_disabling.yml 
@@ -20,65 +20,65 @@ logsource: product: linux detection: iptables_1: - ProcessName|endswith: '/service' + Image|endswith: '/service' CommandLine|contains|all: - 'iptables' - 'stop' iptables_2: - ProcessName|endswith: '/service' + Image|endswith: '/service' CommandLine|contains|all: - 'ip6tables' - 'stop' iptables_3: - ProcessName|endswith: '/chkconfig' + Image|endswith: '/chkconfig' CommandLine|contains|all: - 'iptables' - 'stop' iptables_4: - ProcessName|endswith: '/chkconfig' + Image|endswith: '/chkconfig' CommandLine|contains|all: - 'ip6tables' - 'stop' firewall_1: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'stop' firewall_2: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'disable' carbonblack_1: - ProcessName|endswith: '/service' + Image|endswith: '/service' CommandLine|contains|all: - 'cbdaemon' - 'stop' carbonblack_2: - ProcessName|endswith: '/chkconfig' + Image|endswith: '/chkconfig' CommandLine|contains|all: - 'cbdaemon' - 'off' carbonblack_3: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'stop' carbonblack_4: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'disable' selinux: - ProcessName|endswith: '/setenforce' + Image|endswith: '/setenforce' CommandLine|contains: '0' crowdstrike_1: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'stop' - 'falcon-sensor' crowdstrike_2: - ProcessName|endswith: '/systemctl' + Image|endswith: '/systemctl' CommandLine|contains|all: - 'disable' - 'falcon-sensor' diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index eabff7636..c74cb3010 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml 
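Review bot: The `selinux` selection pairs `Image|endswith: '/setenforce'` with `CommandLine|contains: '0'`, which matches a zero anywhere in the argument string rather than the argument itself; `CommandLine|endswith: ' 0'` is the tighter form for the `setenforce 0` invocation. setenforce also accepts a word-form argument with the same effect, which this selection does not cover at all; confirm against the tool's documentation and either extend the selection or note the gap in the rule. The repeated `Image|endswith: '/systemctl'` plus `CommandLine|contains|all` blocks in firewall_*, carbonblack_* and crowdstrike_* could be folded into fewer selections, but that is style only. The `condition` line is outside the hunk.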
@@ -19,7 +19,7 @@ logsource: categories: process_creation detection: selection: - ProcessName|endswith: + Image|endswith: - '/uname' - '/hostname' - '/uptime' diff --git a/rules/linux/lnx_system_network_connections_discovery.yml b/rules/linux/lnx_system_network_connections_discovery.yml index 1bab3e4c7..5f9642370 100644 --- a/rules/linux/lnx_system_network_connections_discovery.yml +++ b/rules/linux/lnx_system_network_connections_discovery.yml @@ -11,7 +11,7 @@ logsource: product: linux detection: selection: - ProcessName|endswith: + Image|endswith: - '/who' - '/w' - '/last' diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index af22539c4..541737062 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -8,10 +8,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md logsource: category: process_creation - product: unix + product: linux detection: selection1: - ProcessName|endswith: + Image|endswith: - '/firewall-cmd' - '/ufw' - '/iptables' diff --git a/rules/linux/macos_applescript.yml b/rules/linux/macos_applescript.yml index 6596c27d5..38daf676a 100644 --- a/rules/linux/macos_applescript.yml +++ b/rules/linux/macos_applescript.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName|endswith: + Image|endswith: - '/osascript' CommandLine|contains|all: - '-e' diff --git a/rules/linux/macos_base64_decode.yml b/rules/linux/macos_base64_decode.yml index 7d7488048..4afeec596 100644 --- a/rules/linux/macos_base64_decode.yml +++ b/rules/linux/macos_base64_decode.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: base64_execution: - ProcessName: '/usr/bin/base64' + Image: '/usr/bin/base64' CommandLine|contains: '-d' condition: base64_execution falsepositives: diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos_binary_padding.yml index b4c676db0..843b2aa61 100644 
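Review bot: The logsource context line in the lnx_system_info_discovery.yml hunk reads `categories: process_creation`; Sigma's logsource key is `category`, so the plural key is presumably not recognised and the renamed `Image` field will not be mapped through the process_creation configuration in this rule. Change it to `category: process_creation` while touching the file. The remaining `Image|endswith:` entries and the condition continue past the hunk.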
--- a/rules/linux/macos_binary_padding.yml +++ b/rules/linux/macos_binary_padding.yml @@ -13,12 +13,12 @@ logsource: category: process_creation detection: selection1: - ProcessName|endswith: + Image|endswith: - '/truncate' CommandLine|contains: - '-s' selection2: - ProcessName|endswith: + Image|endswith: - '/dd' CommandLine|contains: - 'if=' diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml index 1267cb82c..f30750331 100644 --- a/rules/linux/macos_change_file_time_attr.yml +++ b/rules/linux/macos_change_file_time_attr.yml @@ -13,7 +13,7 @@ logsource: category: process_creation detection: selection1: - ProcessName|endswith: '/touch' + Image|endswith: '/touch' selection2: CommandLine|contains: - '-t' diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml index e5aecc052..055cc98e9 100644 --- a/rules/linux/macos_clear_system_logs.yml +++ b/rules/linux/macos_clear_system_logs.yml @@ -11,7 +11,7 @@ logsource: category: process_creation detection: selection1: - - ProcessName|endswith: '/rm' + - Image|endswith: '/rm' selection2: CommandLine|contains: '/var/log' selection3: diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos_create_account.yml index 915f90488..6bde23a2a 100644 --- a/rules/linux/macos_create_account.yml +++ b/rules/linux/macos_create_account.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName|endswith: + Image|endswith: - '/dscl' CommandLine|contains: - 'create' diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos_create_hidden_account.yml index 3a97aab8e..95890a4bf 100644 --- a/rules/linux/macos_create_hidden_account.yml +++ b/rules/linux/macos_create_hidden_account.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: dscl_create: - ProcessName|endswith: '/dscl' + Image|endswith: '/dscl' CommandLine|contains: 'create' id_below_500: CommandLine|contains: UniqueID 
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos_disable_security_tools.yml index 8a84e85ce..2c983500b 100644 --- a/rules/linux/macos_disable_security_tools.yml +++ b/rules/linux/macos_disable_security_tools.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: launchctl_unload: - ProcessName: '/bin/launchctl' + Image: '/bin/launchctl' CommandLine|contains: 'unload' security_plists: CommandLine|contains: @@ -31,7 +31,7 @@ detection: - 'packetbeat' # elastic network logger/shipper - 'td-agent' # fluentd log shipper disable_gatekeeper: - ProcessName: '/usr/sbin/spctl' + Image: '/usr/sbin/spctl' CommandLine|contains: 'disable' condition: (launchctl_unload and security_plists) or disable_gatekeeper falsepositives: diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos_file_and_directory_discovery.yml index dca23a49d..6e16e85d8 100644 --- a/rules/linux/macos_file_and_directory_discovery.yml +++ b/rules/linux/macos_file_and_directory_discovery.yml @@ -11,17 +11,17 @@ logsource: product: macos detection: file_with_asterisk: - ProcessName: '/usr/bin/file' + Image: '/usr/bin/file' CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline recursive_ls: - ProcessName: '/bin/ls' + Image: '/bin/ls' CommandLine|contains: '-R' find_execution: - ProcessName: '/usr/bin/find' + Image: '/usr/bin/find' mdfind_execution: - ProcessName: '/usr/bin/mdfind' + Image: '/usr/bin/mdfind' tree_execution|endswith: - ProcessName: '/tree' + Image: '/tree' condition: 1 of them falsepositives: - Legitimate activities diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml index 5fd340fb5..2f47f1034 100644 --- a/rules/linux/macos_find_cred_in_files.yml +++ b/rules/linux/macos_find_cred_in_files.yml 
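Review bot: In the macos_file_and_directory_discovery.yml hunk the new line `Image: '/tree'` is an exact match on the path, because the `|endswith` modifier sits on the selection name (`tree_execution|endswith:`) instead of on the field, so `/usr/bin/tree` or a package-manager-installed tree never matches. Move the modifier onto the field: `tree_execution:` / `Image|endswith: '/tree'`, consistent with the other macOS rules in this commit. The other selections in this hunk already use absolute paths, so this is the only one affected.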
@@ -13,7 +13,7 @@ logsource: category: process_creation detection: selection1: - ProcessName|endswith: + Image|endswith: - '/grep' CommandLine|contains: - 'password' diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos_gui_input_capture.yml index 711705d36..22b42e1c4 100644 --- a/rules/linux/macos_gui_input_capture.yml +++ b/rules/linux/macos_gui_input_capture.yml @@ -12,7 +12,7 @@ logsource: category: process_creation detection: selection1: - ProcessName: + Image: - '/usr/sbin/osascript' selection2: Commandline|contains|all: diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos_local_account.yml index 97aecfc82..638fb1ba9 100644 --- a/rules/linux/macos_local_account.yml +++ b/rules/linux/macos_local_account.yml @@ -11,13 +11,13 @@ logsource: product: macos detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/dscl' CommandLine|contains|all: - 'list' - '/users' selection_2: - ProcessName|endswith: + Image|endswith: - '/dscacheutil' CommandLine|contains|all: - '-q' @@ -26,16 +26,16 @@ detection: CommandLine|contains: - "'x:0:'" selection_4: - ProcessName|endswith: + Image|endswith: - '/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_5: - ProcessName|endswith: + Image|endswith: - '/id' selection_6: - ProcessName|endswith: + Image|endswith: - '/lsof' CommandLine|contains: - '-u' diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos_local_groups.yml index e914d3326..2c26fc45f 100644 --- a/rules/linux/macos_local_groups.yml +++ b/rules/linux/macos_local_groups.yml @@ -11,18 +11,18 @@ logsource: product: macos detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/dscacheutil' CommandLine|contains|all: - '-q' - 'group' selection_2: - ProcessName|endswith: + Image|endswith: - '/cat' CommandLine|contains: - '/etc/group' selection_3: - ProcessName|endswith: + Image|endswith: - '/dscl' CommandLine|contains|all: - '-list' 
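Review bot: In the macos_gui_input_capture.yml hunk `Image:` now carries `'/usr/sbin/osascript'`, but osascript ships under `/usr/bin` on macOS (the macos_applescript.yml hunk matches `|endswith: '/osascript'`), so this exact-path selection will likely never fire; verify the path on a target system and prefer `Image|endswith: '/osascript'`. The following context line `Commandline|contains|all:` is also spelled with a lowercase `l`, whereas every other rule uses `CommandLine`; field names are matched case-sensitively by the mapping layer, so it should read `CommandLine|contains|all:`. The same `Commandline` spelling appears in the second hunk of macos_system_network_discovery.yml. The rest of selection2 and the condition are outside the hunk.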
diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos_network_service_scanning.yml index 09bcef383..8faa5b721 100644 --- a/rules/linux/macos_network_service_scanning.yml +++ b/rules/linux/macos_network_service_scanning.yml @@ -11,11 +11,11 @@ logsource: product: macos detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/nc' - '/netcat' selection_2: - ProcessName|endswith: + Image|endswith: - '/nmap' - '/telnet' filter: diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos_network_sniffing.yml index a30534aef..cf316429b 100644 --- a/rules/linux/macos_network_sniffing.yml +++ b/rules/linux/macos_network_sniffing.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName|endswith: + Image|endswith: - '/tcpdump' - '/tshark' condition: selection diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml index 6ec947914..dbe79e461 100644 --- a/rules/linux/macos_remote_system_discovery.yml +++ b/rules/linux/macos_remote_system_discovery.yml @@ -11,12 +11,12 @@ logsource: product: macos detection: selection_1: - ProcessName|endswith: + Image|endswith: - '/arp' CommandLine|contains: - '-a' selection_2: - ProcessName|endswith: + Image|endswith: - '/ping' CommandLine|contains: - ' 10.' #10.0.0.0/8 diff --git a/rules/linux/macos_schedule_task_job_cron.yml b/rules/linux/macos_schedule_task_job_cron.yml index 9746a0ff6..c757d014f 100644 --- a/rules/linux/macos_schedule_task_job_cron.yml +++ b/rules/linux/macos_schedule_task_job_cron.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName|endswith: + Image|endswith: - '/crontab' CommandLine|contains: - '/tmp/' diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos_screencapture.yml index 7cc9bc983..18fb1bf32 100644 --- a/rules/linux/macos_screencapture.yml +++ b/rules/linux/macos_screencapture.yml 
@@ -12,7 +12,7 @@ logsource: category: process_creation detection: selection: - ProcessName: '/usr/sbin/screencapture' + Image: '/usr/sbin/screencapture' condition: selection falsepositives: - Legitimate user activity taking screenshots diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos_security_software_discovery.yml index 320eb89fd..b26fbcd16 100644 --- a/rules/linux/macos_security_software_discovery.yml +++ b/rules/linux/macos_security_software_discovery.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: grep_execution: - ProcessName: '/usr/bin/grep' + Image: '/usr/bin/grep' security_services_and_processes: CommandLine|contains: - 'nessusd' # nessus vulnerability scanner diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos_split_file_into_pieces.yml index 5f6a20269..b19c5aeab 100644 --- a/rules/linux/macos_split_file_into_pieces.yml +++ b/rules/linux/macos_split_file_into_pieces.yml @@ -13,7 +13,7 @@ logsource: category: process_creation detection: selection: - ProcessName|endswith: '/split' + Image|endswith: '/split' condition: selection falsepositives: - 'Legitimate administrative activity' diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos_system_network_connections_discovery.yml index 32f1ad5bf..8503e7803 100644 --- a/rules/linux/macos_system_network_connections_discovery.yml +++ b/rules/linux/macos_system_network_connections_discovery.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName: + Image: - '/usr/bin/who' - '/usr/bin/w' - '/usr/bin/last' diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml index 2bf068e4e..f754a1e3c 100644 --- a/rules/linux/macos_system_network_discovery.yml +++ b/rules/linux/macos_system_network_discovery.yml 
@@ -11,7 +11,7 @@ logsource: category: process_creation detection: selection1: - ProcessName: + Image: - '/usr/sbin/netstat' - '/sbin/ifconfig' - '/usr/sbin/ipconfig' @@ -19,7 +19,7 @@ detection: - '/usr/sbin/networksetup' - '/usr/sbin/arp' selection2: - ProcessName: '/usr/bin/defaults' + Image: '/usr/bin/defaults' Commandline|contains|all: - 'read' - '/Library/Preferences/com.apple.alf' diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos_system_shutdown_reboot.yml index e461aed89..e7b463653 100644 --- a/rules/linux/macos_system_shutdown_reboot.yml +++ b/rules/linux/macos_system_shutdown_reboot.yml @@ -13,7 +13,7 @@ logsource: category: process_creation detection: selection: - ProcessName|endswith: + Image|endswith: - '/shutdown' - '/reboot' - '/halt' diff --git a/rules/linux/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos_xattr_gatekeeper_bypass.yml index 989190a43..8c4ac76c2 100644 --- a/rules/linux/macos_xattr_gatekeeper_bypass.yml +++ b/rules/linux/macos_xattr_gatekeeper_bypass.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - ProcessName|endswith: '/xattr' + Image|endswith: '/xattr' CommandLine|contains|all: - '-r' - 'com.apple.quarantine' diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml index bed167c16..02603871b 100644 --- a/rules/windows/malware/win_mal_ryuk.yml +++ b/rules/windows/malware/win_mal_ryuk.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - ProcessName|endswith: + Image|endswith: - '\net.exe' - '\net1.exe' CommandLine|contains|all: diff --git a/rules/windows/process_creation/win_apt_slingshot.yml b/rules/windows/process_creation/win_apt_slingshot.yml index 90bcb4c4b..faf030a3d 100755 --- a/rules/windows/process_creation/win_apt_slingshot.yml +++ b/rules/windows/process_creation/win_apt_slingshot.yml 
@@ -21,7 +21,7 @@ logsource: product: windows detection: selection1: - ProcessName|endswith: '\schtasks.exe' + Image|endswith: '\schtasks.exe' CommandLine|contains|all: - '/delete' - 'Defrag\ScheduledDefrag' diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml index 4c322dfd6..7d90d5575 100644 --- a/rules/windows/process_creation/win_malware_dridex.yml +++ b/rules/windows/process_creation/win_malware_dridex.yml @@ -19,17 +19,17 @@ logsource: product: windows detection: selection1: - ProcessName|endswith: '\svchost.exe' + Image|endswith: '\svchost.exe' CommandLine|contains|all: - 'C:\Users\' - '\Desktop\' selection2: ParentImage|endswith: '\svchost.exe' selection3: - ProcessName|endswith: '\whoami.exe' + Image|endswith: '\whoami.exe' CommandLine|contains: 'all' selection4: - ProcessName|endswith: + Image|endswith: - '\net.exe' - '\net1.exe' CommandLine|contains: 'view'